PT-2026-57406 · WordPress · Wcfm – Frontend Manager For Woocommerce
Mrholmes
+1
·
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-10041
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
WCFM – Frontend Manager for WooCommerce versions prior to 6.7.28
Description
An Insecure Direct Object Reference (IDOR) exists in the
wcfm product archive endpoint due to missing validation on a user-controlled key. This allows authenticated attackers with subscriber-level access or higher to archive products of arbitrary vendors, toggle the featured status of arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete bulk messages and enquiries belonging to other vendors.Recommendations
Update WCFM – Frontend Manager for WooCommerce to version 6.7.28 or later.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wcfm – Frontend Manager For Woocommerce